Microsoft Said To Give Zero Day Exploits To US Government Before It Patches Them

from the whoa dept

Bloomberg came out with quite a bombshell last night, discussing how lots of tech companies apparently work with the NSA and other government agencies, not to pass user data over to the government, but to share exploit information, sometimes before it's public or patched -- and in some cases knowing that the US government will use it offensively before a fix ships. Last month, we had written about how the feds were certainly collecting hacks and vulnerabilities for offensive purposes, but it wasn't clear at the time that some of these exploits were coming directly from the companies themselves.

The report names one major participant: Microsoft:

Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes.

Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn’t ask and can’t be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.

That's fairly incredible. You'd expect Microsoft and other tech companies to be focused on fixing the bugs first, not letting the NSA exploit the vulnerabilities on foreign computers. Note the detail in the second paragraph: Microsoft "doesn't ask and can't be told" how the tip-off is used, so there is no embargo or use restriction attached to the early notice at all.

The same report, once again, implicates the big telcos for their cushy relationship with the intelligence community -- in which the telcos willingly and voluntarily hand over massive amounts of user data. There's no oversight here, because the telcos apparently have no problem dismantling the privacy of their users.

Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said.

In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily.

The article later notes that the big telcos -- AT&T, Verizon, Sprint, Level 3 and CenturyLink -- have all agreed to participate in a program called Einstein 3, which analyzes metadata on emails, but that the companies that asked for assurances were given them in writing: participating wouldn't make them liable for violating wiretapping laws.

Before they agreed to install the system on their networks, some of the five major Internet companies -- AT&T Inc. (T), Verizon Communications Inc. (VZ), Sprint Nextel Corp. (S), Level 3 Communications Inc. (LVLT) and CenturyLink Inc. (CTL) -- asked for guarantees that they wouldn’t be held liable under U.S. wiretap laws. Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn’t meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.

Suddenly the "blanket immunity" clauses in CISPA make a lot of sense. The whole point of CISPA, it appears, is to further protect these companies when this kind of information comes out.

There were many reasons for my decision to move from IE to Firefox years ago, but by far the largest reason was that it was taking Microsoft on average about three months to patch vulnerabilities, whereas it was taking Mozilla about three weeks on average.

"That's fairly incredible. You'd expect Microsoft and other tech companies to be focused on fixing the bugs first, not letting the NSA exploit the vulnerabilities on foreign computers."

What makes you believe the companies are not working contemporaneously to fix a bug?

As for a heads-up to federal agencies, perhaps you would prefer simply saying nothing to them. A utopian ideal to be sure, but also one that casts aside opportunities that may redound to enhanced national security.

Oh, my NON-surprise! Mike omitted GOOGLE'S part:

'Following an attack on his company by Chinese hackers in 2010, Sergey Brin, Google’s co-founder, was provided with highly sensitive government intelligence linking the attack to a specific unit of the People’s Liberation Army, China’s military, according to one of the people, who is familiar with the government’s investigation. Brin was given a temporary classified clearance to sit in on the briefing, the person said.

According to information provided by Snowden, Google, owner of the world’s most popular search engine, had at that point been a Prism participant for more than a year.

Google CEO Larry Page said in a blog posting June 7 that he hadn’t heard of a program called Prism until after Snowden’s disclosures and that the Mountain View, California-based company didn’t allow the U.S. government direct access to its servers or some back-door to its data centers. He said Google provides user data to governments “only in accordance with the law.” '

Not that surprising

I am sure MS is not the only company that notifies the government of the country in which they operate immediately upon the discovery of a security flaw in software that millions of people use.

It is particularly important when a government has, you know, a GIANT DATABASE FULL OF TRACKING INFORMATION AND COMMUNICATIONS. I'd kinda like them to patch up their security problem as quickly as possible. It would be nice if they didn't have that giant honeypot of information, but while they have it, I'd like their engineers to know about a problem with their software as quickly as possible.

Re: Oh, my NON-surprise! Mike omitted GOOGLE'S part:

He didn't mention protests in Turkey or the Japanese eyeball licking story either. I'll leave it up to your deficient brain to work out why (hint: they have the same amount to do with the subject of the article).

Are you really reduced to just trying to whine and deflect in every article now? You guys have been seriously uncreative this week, even by your meagre trolling standards.

Re: Not that surprising

You don't seem to understand. Very likely no party, including the government, can fix the vulnerability faster than Microsoft. Microsoft can distribute the fix to government users very quickly and I'm sure they do.

The purpose of giving the vulnerability information to the government can only be so that they can exploit it on foreign computers. Naturally, the NSA would never dream of hacking into domestic computers.

And people are still going to buy the new Xbox? You must be out of your fucking minds! What do you think is going to happen to all the video and voice messages the console hoovers up? What about any of the touch screen devices and O/S that Microsoft has brought out? Do you honestly think those devices are under your control every minute? Get outta here!! And as for having to connect to the 'net at least once every 24 hours, what do you think that's for? To ensure what is on and in the console is genuine etc. etc. It's so if you happen to have anything a bit hooky, they will know immediately when it 'pings back' to Microsoft and whoever else may be interested, like the entertainment industries! You will then be deep in it. The whole aim is to maintain control over people who do buy the console and take away your choice of what you do with something you bought and paid for. This is exactly the huge mistake Sony made with the PS3. Notice how they have not made the same mistake again!! They know what will happen! Shame Microsoft still thinks so little of its customers as to want to have its control over them!

Providing legal "permission slips" should be against the law

Those companies that asked received a letter signed by the U.S. attorney general indicating such exposure didn’t meet the legal definition of a wiretap and granting them immunity from civil lawsuits, the person said.

This should simply be illegal. For both parties. It should not be a valid defense to assert "I got a letter saying it was OK." And it should be illegal for any member of the executive or legislative branch to provide such an excuse. Where does it stop? Could one get a letter saying that killing someone is not murder?

I'm sure if the telcos had to ask their lawyers for permission, they would never hand the data over without a court order, and that's what we want.

well well...

I do not say this lightly, because it's my career to support and install Microsoft, and has been for almost two decades, but this basically is the final straw to move my entire life away from Microsoft.

Totally unacceptable. I'm done. I don't care if I lose my job by not learning the latest Microsoft blah, it's time. I don't care if I miss out on games on the platform, I'm done. I'll put up with strange Linux finickiness, because that is less hassle at this point. Way, way less hassle.

Re:

Well, why do you think they made all that brouhaha about Huawei?

Why do you think everyone who can is developing their own GPS systems?

This should be a pretty good indication of how those people really think, they will exploit anything, moral, immoral, right or wrong. After exploiting everything they will come up with excuses to justify the deed and try to dress it pretty just in case somebody sees it, which brings me to the point of secrecy, they of course will try to hide it from everyone.

This is exactly why transparency, whistleblowers, anonymity and even competition are important for a democratic free society.

Not much choice for M$

I'm not happy with M$. But I don't think they had much choice. I'm sure it was either said or strongly implied that the Government said something like this to M$:
"Now now don't fret comrade. I'm sure if you provide us with the necessary backdoor exploits then we'll make sure that you have no further trouble with the DOJ."

Re:

What makes you believe the companies are not working contemporaneously to fix a bug?

As for a heads-up to federal agencies, perhaps you would prefer simply saying nothing to them. A utopian ideal to be sure, but also one that casts aside opportunities that may redound to enhanced national security.

Why are you bringing reason to the discussion? This is TD! Spread the FUD! Spread the hate! Spread the distrust! But NEVER EVER build bridges or discuss important issues on the merits! Yeah!

Re: well well...

this basically is the final straw to move my entire life away from Microsoft.

I'm glad that you reached this conclusion, but I'm curious... why was this the final straw? This was already common knowledge (in the industry, anyhow), and is a trivial matter compared to the other ways that Microsoft has been helping the NSA for years (building back doors, etc.)

There's a reason that so many governments avoid using Microsoft products.

Re: Re:

I guess you don't follow release information much. A lot of bugs on US-CERT have no patches and just mitigation measures when released. This includes MS, Apple, Sun, Adobe, Cisco, Juniper, etc.... I would suggest checking out CVE: http://cve.mitre.org/data/downloads/allitems.html

Depending on how this is submitted, to SCAP or directly, it would throw some suspicion.

that and a nickel will get you...

Perhaps an interesting parallel. In the run-up to the Whitey Bulger trial, he wanted to use as a defense that the FBI authorized him to commit murder. The judge responded that it didn't matter whether they did so or not, because it would not have been legal for them to make such a commitment. Therefore, regardless of what he may have been promised by the FBI, he can be prosecuted for the murders.

Would be nice to see Microsoft, Google, Facebook and the telcos finding themselves similarly under the gun in the future. Even though congress passed a law stating that the corporations have immunity (and retroactively, at that!), it would be far from the first time that a law has been overturned when it was found to be unconstitutional.

Re: that and a nickel will get you...

You can dream, yes. I'd say that sifting through what is and what is not constitutional is of the utmost importance. Overturning that immunity is one of the few lights in the tunnel we currently find ourselves entering (in?).

Re: Re: Re: Re:

Wouldn't somebody have noticed traffic going out if the "appliance" routers were compromised? They don't need to check MY router. That's way too inefficient when it's already been noted that they just move into the building at AT&T headquarters and splice everyone's traffic (including yours).

I wonder how many man in the middle certs they have that they play to both sides so they can get that "encrypted" traffic.

Moving to Linux

This makes the decision to stay with Tux the Penguin a no-brainer; not that I was leaving. And it makes recommending Linux to others more of a no-brainer. I would recommend to anyone to move to Linux and forget any MS software.

Re: Re: Re: Re: Re:

Wouldn't somebody have noticed traffic going out if the "appliance" routers were compromised?

Only if the (theoretical) back door were activated. And even then, the traffic could be easily disguised so as to look innocent.

That's way too inefficient when it's already been noted that they just move into the building at AT&T headquarters and splice everyone's traffic (including yours)

Router backdoors and the like are intended to facilitate intrusion, which allows for a more intense level of surveillance than just capturing all the internet traffic.

I wonder how many man in the middle certs they have that they play to both sides so they can get that "encrypted" traffic

That's unknowable, of course, but they wouldn't need very many. There are only a small number of root CAs that are commonly used.

That's why, for maximum security, you shouldn't use one of the commercial CAs. You should run your own. (As well as avoid web services, the cloud, and any other third party services as far as possible. Nobody can be trusted, by law.)

Re: Immunity can't protect businesses from public backlash

If Hugo Chavez were still alive, the entire remainder of Latin America would never hear the end of it all. Dude forked Linux back in 2006 and created a Venezuelan version arguing exactly this sort of thing, and managed to convince the Brazilian Government to adopt a similar project, that got a reasonable success. Irony at its finest.

Re: Re:

They learned alright; why do you think the US government had to intervene to stop open source adoption everywhere, threatening economic sanctions?

Also the US government is well aware of the problems with allowing others to produce critical stuff, as the Huawei brouhaha showed everyone; not only that, but all governments that can try to produce everything they need, which includes but is not limited to GPS systems.

Now the people, well, we are another story: we allow companies to produce the things we need without acquiring the capabilities to do so if abuse happens; we allow monopolies that would stop us even if we tried, and so we become slaves to masters that will hurt us all.

This is why I don't want an SSN, I don't want the government being solely responsible for my retirement and healthcare, I don't want to allow only pharmaceutical companies to produce medicine, I don't want to let copyright and patents fuck my world anymore, so I decided to do it myself.

I am intelligent, I am capable and I sure can learn, but most importantly I can pass that knowledge to others.
I see how piracy has thrived under the harshest conditions possible and I marvel at how it survives and thrives, its resilience to adversity; if for nothing else aside from the moral quandaries, that alone is just amazing. Could we do it for other parts of our lives?

I am betting that we can; pirates survive and thrive because everyone knows how to copy those things. How can we apply that to healthcare, retirement, food, clothes, education and anything else we need?
I want to see a healthcare system that is as robust and resilient as pirates are, and that will only happen if everybody knows how to produce medicine and equipment. If you knew you could build a home anywhere from scraps, would you be afraid to be homeless? Taking that fear away is liberating. Learning bushcraft taught me a lot about self sufficiency and the importance of it, something that all governments know by instinct and don't want to allow their population to realize: that they have the power to lift themselves when things get hard.

Sorry for the rant.

Food for thought:
We may not even need central governments to create functional societies; bees and ants can do it, so why can't we? Are we less capable?

Just thinking out loud here

But assuming that the US government's computer systems are mostly Windows, it's not exactly that surprising that Microsoft would warn the Feds about the zero-day exploits and not the general public.

I mean, considering that the US Government's new boogeyman meme is "CYBERTERRORISM! OH TEH NOES!", allow me to point out something that's being overlooked in the quoted text:

That information can be used to protect government computers and to access the computers of terrorists or military foes.

Considering that China's been so brazenly hack-happy lately against the U.S. private sector, it's not surprising that Microsoft's tipping off its home government and not anyone else. While it may not exactly trust the U.S. government (depending on your viewpoint), they certainly favor the government who's more likely to protect their intellectual property (trade secrets/copyright infringement) over the government who's more likely to actively steal their trade secrets, reverse engineer them, and then claim they built it on their own [China].

As for not telling the general public, well, I'm betting that Microsoft thinks malicious state-sponsored hacker groups don't really care what John Q. Public has on his computer.

Now could groups like the NSA use these zero-day exploits for nefarious purposes? Yes they could.

Would they?

I'd say the chance of that (percentage-wise) is about the same percentage they use for determining a subject's "foreignness". 'Course, I'm being a little optimistic on that.

We live in an age where vulnerabilities are routinely found by many people, simultaneously, and where it's generally true that if the company is aware of a vulnerability in a released product, then so are the bad guys. Given that, I don't see any problem at all with MS giving vulnerability info to the government.

The problem, as I see it, is that they don't give that same info out to the public.

What's interesting about this is that the defenders of Microsoft's policy ignore the fact that Microsoft does not even ask the government what it does with the information, let alone extract a promise from them not to use it offensively. The government might well break such a promise but at least Microsoft would have done their due diligence vis-a-vis their customers. The fact that MS doesn't do this is very telling.

I now have another reason

why I will never, so long as I breathe, use Windows again. This is just another reason for moving entirely to a Free Software operating system, for all my computers.

After 35 years in the business, since 1975, with 20 as a windows administrator and programmer, and 10 on Linux systems, I can only advise all non Americans who value their privacy and security to switch to a Linux based operating system.

So What

So what? Everybody knows that and if you can't figure it out you are pretty much an idiot. There is no privacy on the internet, just face it, and stop bothering other people with pointless discussions, or at least shut down the comments on such posts.

It's a little relevant

How much value is it to patch up your computer when you have Google profiling everything you do on it and handing that data over?
Google has a much richer profile on you, your habits, searches, purchases, etc. than Microsoft has. They've been the most successful at creating the kind of online profiles and silent tracking of the kind of info crooked governments would be after. Just think if the Nazis had a list of every website you went to, every search you did, and everywhere you went and what you bought. That is Google's bread & butter & why they offer so much "free" stuff. Your info is the coin they trade in.

I don't see why people are falling so easily for the sensationalism of this article. The NSA holds some of the nation's most valuable information. They use some Windows computers. Microsoft doesn't want to be held liable for the NSA being hacked. Therefore, Microsoft informed the NSA of the zero-day exploit so that it is forewarned. This is a very self-serving rationale for the security tip-off, but it makes perfect sense for Microsoft as a business. Being blamed for the loss of national intelligence would damage Microsoft far more than thousands of articles like these and millions of comments like these.
Also, the NSA actually might be able to write up a security wall faster than Microsoft could, because the folks at the NSA are probably pretty well acquainted with their machines. Microsoft releases patches slower than they should, but to be fair, they do have to make sure that their patch works on every version of every computer in the world.

Re: Re:

There are "a lot" of leaks about US intelligence becoming almost tyrannical in its capabilities and that's bad. Feel lucky I am not American, although in today's world everything is related... BUT America is not the only superpower out there, and I think not the biggest anymore... And it's quite concerning there are no disclosures on the others, especially China (or maybe I am not aware of them). And I bet you the Chinese spooks are a hell of a lot more ruthless. So really, the quiet ones are the ones to be most concerned about. So I say, let China buy Windows and only Windows (in gov facilities); maybe that way some info will get to the NSA and then hopefully leak to us.

Re:

"The NSA holds some of the nation's most valuable information."

Much of which they have no business holding.

"They use some Windows computers."

If security is such an issue with the use of that software, maybe they shouldn't. Those concerns simply highlight the danger of using a closed proprietary system for anything requiring high levels of security.

"Also, the NSA actually might be able to write up a security wall faster than Microsoft could, because the the folks at the NSA are probably pretty well acquainted with their machines"

Really? You're OK with a government agency using your tax dollars to fix the security fuck ups of a private company who charge you directly for the use of their software? Because you think they're more familiar with it than the people who made the buggy crap in the first place? Astounding.

Get real

Please. Get your head out of the sand. This strikes you as "incredible"? Nobody bothered to read about HBGary Federal's work in this area and connect the dots? There's a huge market for this sort of stuff. Of COURSE you can ASSUME the government and other players have tons of zero-day exploits that MS doesn't even know about! Use some common sense! Really, about the only way to communicate securely may be to call your buddy via modem directly and use encryption over the link.